Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,169 questions
Sysmon - Non-ASCII character in the ParentUser and ParentCommandLine field
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 7.000000000000001%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Robert Morningstar
0
Reputation points
Has anyone seen this behavior with Sysmon: getting non-ASCII characters in the ParentUser, and ParentCommandLine fields? Sometimes it looks like another language character set, other times it is WingDings or some other non-sensical characters. This screenshot is from Splunk and is a screenshot of 2 devices over a 60 minute sampling window. Only happens with Event code = 1. Cannot determine a pattern and it is a rare event. In the last 24 hour period 10 events with this issue out of 895,000,000+.
The screenshot is from a Splunk query. I have verified that the non-ASCII characters are in the native Windows event logs BEFORE they are forwarded to Splunk.
Bob M.
Sysinternals
{count} votes
-
Robert Morningstar 0 Reputation points
2024-07-10T15:29:36.2233333+00:00 Also the errors seem to be coming from various versions of Sysmon, it does not appear to be limited to one particular executable version number.
Sign in to comment
Sign in to answer